Here are some hints and remarks on security in moregroupware.
Check the permissions on your installation files and folders. No directories except data_store, data_cache and the templates_c folder need to be writable by the webserver. Those directories need to be writable only by the webserver; there is no need to make them world-writable.
The data_store and data_cache folders may contain files that are not meant to be accessible from outside of more.groupware, so you should restrict access to them. .htaccess files are already present, but you should check that they work. Depending on your webserver's configuration, the use of .htaccess files may be restricted. If you are not using the Apache webserver, take similar measures for your setup.
Additionally, if these folders allow access to others, change their access permissions so that they are accessible only to the webserver user and/or group at the filesystem level.
If you are concerned about cross-site scripting attacks, you should remember that those are almost always used to hijack a session. Because you can lock your session to an IP address in more.groupware (this is enabled by default), having access to the session ID doesn't give you access to the session in most cases.
Also, a valid login to the system is needed to be able to inject such malicious content. And if you can't trust your users, secure software is only worth so much.
You may delete the setup/ folder after successfully installing your moregroupware.
Think about the scripts in the scripts/ folder of moregroupware: some might let others gather information about your system that you would rather keep private (e.g. systeminfo.php). You should restrict access to this folder or move it elsewhere. If you don't need its contents, you can safely delete it.
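The filesystem points above (world-writable entries, access for others on data_store and data_cache, the leftover setup/ and scripts/ folders) can be checked with a small shell function. This is an added example, not part of moregroupware; the function name audit_mgw, its output labels and the installation path passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not shipped with moregroupware. audit_mgw and its output
# labels are hypothetical names; pass your own installation path.
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad path.
audit_mgw() {
    root=$1
    [ -d "$root" ] || { echo "ERROR: $root is not a directory" >&2; return 2; }

    _found=$(
        # Nothing needs to be world-writable, not even the directories the
        # webserver writes to (data_store, data_cache, templates_c).
        find "$root" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE: /'

        # data_store and data_cache should grant no access at all to "others".
        # -prune tests only the directory itself, without descending.
        for d in data_store data_cache; do
            [ -d "$root/$d" ] || continue
            find "$root/$d" -prune \
                \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
                sed 's/^/OTHER-ACCESS: /'
        done

        # setup/ is not needed after installation; scripts/ may expose
        # system information (e.g. systeminfo.php).
        if [ -d "$root/setup" ]; then
            echo "SETUP-PRESENT: $root/setup (delete after installation)"
        fi
        if [ -d "$root/scripts" ]; then
            echo "SCRIPTS-PRESENT: $root/scripts (restrict, move or delete)"
        fi
    )

    [ -z "$_found" ] && return 0
    printf '%s\n' "$_found"
    return 1
}
```

Call it as audit_mgw /path/to/moregroupware. Whether the .htaccess files actually block access still has to be checked over HTTP, since that depends on the webserver's configuration.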
If you use moregroupware outside of a closed network environment, consider using SSL. moregroupware is completely SSL-transparent, i.e. you can use it without any changes on an SSL-enabled webserver.
There is no need to worry about the sess_* files in your webserver's /tmp directory, as long as these files are only readable by the user your webserver runs as. You don't need to delete them either; PHP does this automatically, with a given probability, after a session has expired. See the PHP manual for more information.
We are trying hard to make the moregroupware code itself as secure as possible, by checking all input data, etc.